The Unofficial NT Hack FAQ



Section 07

Miscellaneous Info on NT

07-1. How do I bypass the screen saver?
07-2. What can sniffing get me?
07-3. How can I detect that a machine is in fact NT on the network?
07-4. Can I do on-the-fly disk encryption on NT?
07-5. Does the FTP service allow passive connections?
07-6. What is this "port scanning" you are talking about?
07-7. Does NT have bugs like Unix's sendmail?

07-1. How do I bypass the screen saver?

If a user has locked their local workstation using CTRL+ALT+DEL, and you can log in as an administrator, you will have a window of a few seconds in which you can see the user's desktop and even manipulate things. This trick works on NT 3.5 and 3.51, unless the latest service pack has been loaded.

If the service pack has been loaded, but it's still 3.X, try the following.


07-2. What can sniffing get me?

If an older version of LANMAN is being used, passwords are sent in plaintext (see section 10-02 for details). More common, however, are password-protected shares; accessing these shares sends the share password in the clear.

Any traditional protocols (FTP and telnet for example) that send passwords in the clear could be sniffed, and it is quite possible that a user's FTP password is the same as their regular NT account password.


07-3. How can I detect that a machine is in fact NT on the network?

Hopefully it is a web server, and they've simply stated proudly "we're running NT", but don't expect that...

Port scanning will find some. Typically you'll see port 135 open, though that is no guarantee it isn't Windows 95. Using Samba you should be able to connect and query for the existence of HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT, then read the CurrentVersion value under its CurrentVersion subkey to determine the version running. If the Guest account is enabled, try this first, as Everyone has read permission on this key by default.

Port 137 is used for NetBIOS over IP. Since the Windows world relies on NetBIOS, you can expect port 137 to be open wherever NT is using IP.

Another possible indication is checking for port 139. This tells you your target is advertising an SMB resource to share info, but it could be any number of things, such as a Windows 95 machine or even Windows for Workgroups. These may not be entirely out of the question as potential targets, but if you are after NT you will have to use a combination of the aforementioned techniques coupled with some common sense.

To simplify this entire process, Secure Networks Inc. has a freeware utility called NetBios Auditing Tool. This tool's intent is to test NetBios file sharing configurations and passwords on remote systems. It is discussed more in detail in section 05-5.


07-4. Can I do on-the-fly disk encryption on NT?

Try Shade. It allows you to create an encrypted disk device inside a file. This "device" can then be formatted using either NTFS or FAT and used as a regular disk. Shade encrypts on every write operation and decrypts on every read operation to this new device.

Look for Shade at: http://softwinter.bitbucket.co.il/shade.html


07-5. Does the FTP service allow passive connections?

I was playing around in the registry, looking for odd things, and found this strange entry under <System\CurrentControlSet\Services\MSFTPSVC\Parameters>:

    <EnablePortAttack: REG_DWORD: >

If set to 1, you can do passive connections depending on the TCP port you use. A passive connection, in the sense used here, is where you connect to FTP site alice.com and have it connect from there to site bob.com. It is used by hackers because any odd connections at bob.com will appear in the logs as coming from alice.com. The most typical use is a port scan.

A port scanner for doing this from a Unix box can be found at:

    http://www.nmrc.org/files/unix/ftp-scan.c
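
The check a hardened FTP server applies against the trick above, as an added Python example (not code from this FAQ, from Microsoft's FTP service, or from the scanner linked above): when a client sends a PORT command, the server refuses to open the data connection to any host other than the one the control connection came from, or to a port below 1024. Treating EnablePortAttack=1 as switching those checks off is an assumption made for the example; the addresses and PORT arguments are constructed.

```python
"""Server-side policy for the FTP PORT command (added example, not from
the FAQ or from any real FTP service). Refusing data connections to a
third party, or to a privileged port, is what stops bounce scanning."""
import ipaddress

PRIVILEGED_PORT_LIMIT = 1024   # ports below this are reserved for services


def parse_port_argument(arg):
    """Decode the 'h1,h2,h3,h4,p1,p2' argument of a PORT command (RFC 959)
    into (host, port). Raises ValueError on anything malformed."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated fields")
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT fields must be 0-255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def port_command_allowed(control_peer, arg, allow_port_attack=False):
    """Decide whether to honour a PORT command received over a control
    connection from control_peer. Returns (allowed, reason).
    allow_port_attack=True stands in for EnablePortAttack=1; treating it
    as 'skip the checks' is an assumption made for this example."""
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return False, f"malformed PORT argument: {exc}"
    if allow_port_attack:
        return True, "PORT accepted without restriction (EnablePortAttack=1)"
    # Data connection must go back to the host that opened the session.
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        return False, f"refusing data connection to third party {host} (bounce attempt)"
    # ...and must not target a service port on that host either.
    if port < PRIVILEGED_PORT_LIMIT:
        return False, f"refusing data connection to privileged port {port}"
    return True, f"PORT accepted for {host}:{port}"


def audit_port_commands(control_peer, commands):
    """Apply the policy to a list of PORT arguments; returns (allowed, reason) per command."""
    return [port_command_allowed(control_peer, c) for c in commands]


if __name__ == "__main__":
    # Constructed sample: a session from 192.0.2.10 issuing three PORT commands,
    # one legitimate, one aimed at another host, one aimed at a service port.
    SAMPLE = ["192,0,2,10,4,1", "198,51,100,7,0,25", "192,0,2,10,0,80"]
    for cmd, (ok, why) in zip(SAMPLE, audit_port_commands("192.0.2.10", SAMPLE)):
        print(f"PORT {cmd}: {'ALLOW' if ok else 'DENY'} - {why}")
```

Run as a script it prints one verdict per constructed PORT command; only the first (back to 192.0.2.10 on port 1025) is allowed. The order of the two checks matters little for the verdict, but checking the peer address first means a bounce attempt is logged as such rather than as a mere low-port request.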

07-6. What is this "port scanning" you are talking about?

Port scanning is a technique for checking TCP/IP ports to see what services are available. For example, port 80 is typically a web server, port 25 is SMTP used by Internet mail, and so on. By scanning to see which TCP/IP ports are listening at a given address, you can get an idea of what type of box the target might be and what services are available, and possibly plan an attack if you are aware of an exploit involving a particular service.

If ports 135, 137, 138, and 139 are open on the target of a scan, it is quite possible that the target is NT (although it could be Win95 or even WFW 3.11; see section 07-3 above).

Port scanners are widely available for a variety of different platforms. Check section 10-5 for the location of several.
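
From the defender's side, the scan described here, and the NT-hunting port pattern from section 07-3, show up as one source touching many ports in a short time. The following Python is an added example, not code from this FAQ: it reads constructed connection-attempt log lines (the line format and addresses are made up for the example), flags any source that hits five or more distinct ports within a minute, and notes when the full 135/137/138/139 set was probed.

```python
"""Port-scan detection over connection-attempt logs (added example, not
from the FAQ; log format and addresses below are constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the FAQ names as the pattern an attacker looks for when hunting NT.
NT_SIGNATURE_PORTS = {135, 137, 138, 139}
SCAN_DISTINCT_PORTS = 5               # this many distinct ports from one source...
SCAN_WINDOW = timedelta(seconds=60)   # ...inside this interval counts as a scan

# Constructed line format: "<date> <time> <src-ip> -> <dst-ip>:<port> SYN"
LINE_RE = re.compile(
    r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) SYN$")


def parse_line(line):
    """Return (timestamp, src, dst, port), or None for lines that are not attempts."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), int(m.group(4))


def detect_scans(lines):
    """Map each scanning source to the set of ports it touched and whether
    the NetBIOS/RPC signature set was fully probed."""
    attempts = defaultdict(list)               # src -> [(ts, port), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, _dst, port = parsed
            attempts[src].append((ts, port))
    findings = {}
    for src, hits in attempts.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window so it never spans more than SCAN_WINDOW
            while hits[end][0] - hits[start][0] > SCAN_WINDOW:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= SCAN_DISTINCT_PORTS:
                all_ports = {p for _, p in hits}
                findings[src] = {"ports": all_ports,
                                 "nt_probe": NT_SIGNATURE_PORTS <= all_ports}
                break
    return findings


# Constructed sample log: a fast scan, a normal web client, and a slow scan.
SAMPLE_LOG = """\
1997-03-02 10:15:01 198.51.100.7 -> 192.0.2.5:135 SYN
1997-03-02 10:15:01 198.51.100.7 -> 192.0.2.5:137 SYN
1997-03-02 10:15:02 198.51.100.7 -> 192.0.2.5:138 SYN
1997-03-02 10:15:02 198.51.100.7 -> 192.0.2.5:139 SYN
1997-03-02 10:15:03 198.51.100.7 -> 192.0.2.5:21 SYN
1997-03-02 10:15:03 198.51.100.7 -> 192.0.2.5:80 SYN
1997-03-02 10:15:05 203.0.113.4 -> 192.0.2.5:80 SYN
1997-03-02 10:16:40 203.0.113.4 -> 192.0.2.5:80 SYN
1997-03-02 10:20:00 203.0.113.9 -> 192.0.2.5:25 SYN
1997-03-02 10:21:00 203.0.113.9 -> 192.0.2.5:110 SYN
1997-03-02 10:22:00 203.0.113.9 -> 192.0.2.5:21 SYN
1997-03-02 10:23:00 203.0.113.9 -> 192.0.2.5:23 SYN
1997-03-02 10:24:00 203.0.113.9 -> 192.0.2.5:80 SYN
garbage line that the parser skips
""".splitlines()

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        flag = " (135-139 set probed, likely looking for NT)" if info["nt_probe"] else ""
        print(f"{src}: scanned ports {sorted(info['ports'])}{flag}")
```

Note what the sample shows: 198.51.100.7 is caught and marked as probing the 135-139 set, the web client 203.0.113.4 is ignored, and 203.0.113.9, which spaces its probes a minute apart, slips under the window. Slow scans are the usual evasion of a rule like this; widening SCAN_WINDOW or lowering SCAN_DISTINCT_PORTS catches more of them at the cost of more false alarms, so tune against your own baseline traffic.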


07-7. Does NT have bugs like Unix's sendmail?

If the server is running a POP3 server like Exchange, you can use a brute force technique to guess passwords. Odds are that the sys admin is not logging this stuff or looking at the logs for it. In particular, if you are dealing with a sys admin who isn't used to the wild and woolly Unix world, it may not even occur to the admin to look. This is something that NT folks are just now having to face, whereas their Unix admin counterparts have had to maintain this level of scrutiny for a while.
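
The log review the author says NT admins tend to skip, as an added Python example (not code from this FAQ, from Exchange, or from any mail server): it reads constructed POP3 login records (the line format and addresses are made up for the example), flags any source with five or more failures inside ten minutes, distinguishes hammering on one account from trying many accounts once each, and lists accounts that logged in successfully after the failures began.

```python
"""Review of POP3 login records for password guessing (added example, not
from the FAQ; record format and addresses below are constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # this many failures from one source...
WINDOW = timedelta(minutes=10)  # ...within this span is worth a look


def parse_auth_line(line):
    """Constructed format: "<date> <time> <src-ip> <account> <OK|FAIL>".
    Returns (timestamp, src, account, succeeded) or None."""
    parts = line.split()
    if len(parts) != 5 or parts[4] not in ("OK", "FAIL"):
        return None
    ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
    return ts, parts[2], parts[3], parts[4] == "OK"


def review_pop3_auth(lines):
    """Per-source report for sources exceeding FAIL_THRESHOLD failures
    inside WINDOW: failure count, guessing pattern, and any guessed account
    that later logged in successfully (the ones to reset first)."""
    events = sorted(e for e in map(parse_auth_line, lines) if e)
    by_source = defaultdict(list)
    for ts, src, acct, ok in events:
        by_source[src].append((ts, acct, ok))
    report = {}
    for src, attempts in by_source.items():
        fails = [(ts, acct) for ts, acct, ok in attempts if not ok]
        start, peak = 0, 0
        for end in range(len(fails)):
            # sliding window: largest burst of failures within WINDOW
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < FAIL_THRESHOLD:
            continue
        guessed = {acct for _, acct in fails}
        first_fail = fails[0][0]
        succeeded = sorted({acct for ts, acct, ok in attempts
                            if ok and acct in guessed and ts > first_fail})
        report[src] = {
            "failures": len(fails),
            "pattern": ("single-account brute force" if len(guessed) == 1
                        else "password spraying"),
            "success_after_failures": succeeded,
        }
    return report


# Constructed sample: one account hammered until it gives, one mistyped
# password from a normal user, and one source trying many accounts once.
SAMPLE_POP3_LOG = """\
1997-03-02 22:01:05 198.51.100.7 jsmith FAIL
1997-03-02 22:01:06 198.51.100.7 jsmith FAIL
1997-03-02 22:01:07 198.51.100.7 jsmith FAIL
1997-03-02 22:01:08 198.51.100.7 jsmith FAIL
1997-03-02 22:01:09 198.51.100.7 jsmith FAIL
1997-03-02 22:01:10 198.51.100.7 jsmith FAIL
1997-03-02 22:01:11 198.51.100.7 jsmith OK
1997-03-02 22:05:00 203.0.113.4 mjones FAIL
1997-03-02 22:05:30 203.0.113.4 mjones OK
1997-03-02 23:10:00 203.0.113.9 admin FAIL
1997-03-02 23:10:01 203.0.113.9 jsmith FAIL
1997-03-02 23:10:02 203.0.113.9 mjones FAIL
1997-03-02 23:10:03 203.0.113.9 guest FAIL
1997-03-02 23:10:04 203.0.113.9 root FAIL
1997-03-02 23:10:05 203.0.113.9 backup FAIL
""".splitlines()

if __name__ == "__main__":
    for src, info in review_pop3_auth(SAMPLE_POP3_LOG).items():
        print(f"{src}: {info['failures']} failures, {info['pattern']}, "
              f"succeeded afterwards: {info['success_after_failures'] or 'none'}")
```

On the sample, 198.51.100.7 is reported as a single-account attack with jsmith succeeding after six failures (that account wants a password reset, not just a note in the log), 203.0.113.9 is reported as trying many accounts without success, and the user who mistyped once is left alone. Running something like this nightly over the POP3 log is the minimum level of scrutiny the author describes Unix admins as already being used to.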

